AMENDMENTS TO THE CLAIMS

Please amend claims 1, 4-8, 10-13, 16, 18, and 22-23, such that the status of the claims is as follows:

1. (Currently amended) A method for providing computer application security, the method comprising:
identifying secured resources within a software application;
grouping secured resources into user roles stored on data stores of a plurality of security brokers;
generating [[creating]] a plurality of surrogate identifiers in the [[data store]] data stores of the security brokers, each surrogate identifier being associated with one user role;
associating users with user roles, each user being associated with one user role; and
determining access rights to the secured resources for each user according to a corresponding surrogate identifier without disclosing the corresponding surrogate identifier to the user, the corresponding surrogate identifier being associated with the one user role of the user, determining access rights further comprising:
receiving a permissions request from a workstation and routing the permissions request to one of a plurality of security providers with one of the security brokers;
authenticating a computer user as a valid user with one of [[the]] a plurality of security providers; and
authorizing the user to access one of the secured resources with one of a plurality of security providers, providers; and [[receiving permissions requests from a security broker with one of the security providers]].
2. (Previously presented) The method of claim 1, wherein identifying secured resources comprises:
identifying functions within the software application to be secured, the identified functions being secured resources; and
invoking a security call before permitting access to the secured resources.

3. (Previously presented) The method of claim 2, wherein identifying secured resources further comprises:
installing an embedded module in the software application to capture the security call.

4. (Currently amended) The method of claim 1, wherein grouping secured resources into user roles comprises:
establishing in the data stores [[data store]] links to each of the secured resources;
selecting the links corresponding to related secured resources;
grouping the selected links into user roles; and
storing the user roles in the data stores [[data store]].

5. (Currently amended) The method of claim 1, wherein grouping secured resources into user roles comprises:
establishing in the data stores [[data store]] links to each of the secured resources within the software application;
selecting the links corresponding to related secured resources;
grouping the selected links into privilege sets;
grouping privilege sets and links into user roles; and
storing the user roles in the data stores [[data store]].
6. (Currently amended) The method of claim 1, wherein grouping secured resources into user roles comprises:
establishing in the data stores [[data store]] links to each of the secured resources within the software application;
selecting the links corresponding to related secured resources;
grouping the selected links into privilege sets;
grouping privilege sets and links into job functions;
grouping job functions, privilege sets and links into user roles; and
storing the user roles in the data stores [[data store]].

7. (Currently amended) The method of claim 1, wherein [[creating]] generating a plurality of surrogate identifiers comprises:
associating each surrogate identifier with one user role in the data stores [[data store]]; and
replicating each surrogate identifier in the data stores [[data store]] of [[a]] the security providers [[provider]].

8. (Currently amended) The method of claim 1, wherein associating [[a user with a user role]] users with user roles comprises:
creating a list of user identifiers corresponding to existing users on a security provider;
selecting user identifiers from the list;
storing selected user identifiers in the data stores of the security brokers [[data store]]; and
associating each selected user identifier with one user role, the user role being undisclosed to the user.
9. (Canceled)

10. (Currently amended) The method of claim 1, wherein authenticating the computer user comprises:
invoking programmatically an embedded component within the software application when a secured resource is accessed;
passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
retrieving an identifier and a security provider name from the user via the platform coordinator;
passing the identifier and the security provider name to the security broker;
relaying the identifier to the security provider associated with the security provider name for authentication;
evaluating automatically the identifier against a data store of the security provider;
returning an authentication result to the security broker;
storing an authentication token with a time stamp in a cache of the security broker when authentication is successful, the authentication token created by the security broker based on the authentication result;
retrieving the user role associated with the identifier from the data store of the security broker;
retrieving the surrogate identifier associated with the user role from the data store of the security broker;
passing the surrogate identifier and a secured resource name from the security broker to the security provider;
evaluating automatically the surrogate identifier against the data store of the security provider;
determining automatically permissions associated with the surrogate identifier on the security provider;
returning an authorization result associated with the surrogate identifier to the security broker;
creating automatically a permissions token on the security broker based on the authorization result;
relaying the permissions token to the platform coordinator, the permissions token comprising both the secured resource and access rights;
storing the permissions token with a time stamp in a cache on the platform coordinator; and
relaying the access rights to the software application through the embedded component.

11. (Currently amended) The method of claim 1, wherein once the user is authenticated, authorizing the user comprises:
invoking programmatically an embedded component within the software application when a secured resource is accessed;
passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
retrieving an authentication token from a cache on the platform coordinator;
passing the authentication token and the resource name to the security broker;
comparing the authentication token against the cache on the security broker to identify a matching authentication token, the matching authentication token being associated in the cache with the surrogate identifier;
passing the surrogate identifier and the resource name from the security broker to the security provider;
evaluating automatically the surrogate identifier against the data store of the security provider;
determining automatically permissions associated with the surrogate identifier on the security provider;
returning an authorization result associated with the surrogate identifier to the security broker;
[[creating]] generating automatically a permissions token on the security broker based on the authorization result;
relaying the permissions token to the platform coordinator, the permissions token comprising both the secured resource and access rights;
storing the permissions token with a time stamp in a cache on the platform coordinator; and
relaying the access rights to the software application through the embedded component.

12. (Currently amended) The method of claim 1, wherein once the user is authenticated and authorized to access the secured resource, determining access rights to one of the secured resources further comprises:
invoking programmatically an embedded component within the software application when the secured resource is accessed;
passing a resource name identifying the secured resource through the embedded component to a platform coordinator;
retrieving an authentication token from a cache on the platform coordinator;
comparing the secured resource name with permissions tokens stored in the cache on the platform coordinator for a matching permissions token, the matching permissions token containing the secured resource name; and
relaying access rights associated with the matching permissions token to the software application through the embedded component.
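The three procedures of claims 10 to 12 (first access with authentication, authorization of an already authenticated user, and answering a repeat request from the platform coordinator's cache), modelled as an added example that is not part of the claims or of any implementation of them. The class and variable names, the sample users, roles, surrogate identifiers and the token shape are all assumptions; the point it makes visible is that the surrogate identifier never leaves the broker and provider, and the workstation only ever receives a permissions token holding the resource name and the access rights.

```python
# Added example, not from the claims: in-memory model of claims 10-12; all names are assumptions.
import secrets
import time

# Constructed sample data. The provider's permissions list is keyed by the
# surrogate identifier (alias), never by the user's own identifier.
PROVIDER_USERS = {"alice": "pw-alice"}                      # user id -> secret
PROVIDER_PERMS = {"sur-7f3a": {"Report.Export": "read", "Payroll.Edit": "deny"}}
BROKER_ROLES = {"alice": "auditor"}                         # user id -> role
BROKER_SURROGATES = {"auditor": "sur-7f3a"}                 # role -> surrogate

class SecurityProvider:
    def authenticate(self, user_id, secret):
        return PROVIDER_USERS.get(user_id) == secret
    def permissions_for(self, surrogate, resource):
        return PROVIDER_PERMS.get(surrogate, {}).get(resource, "deny")

class SecurityBroker:
    def __init__(self, provider):
        self.provider = provider
        self.auth_cache = {}  # auth token -> (surrogate, time stamp) (claim 10)
    def authenticate(self, user_id, secret):
        if not self.provider.authenticate(user_id, secret):
            return None
        surrogate = BROKER_SURROGATES[BROKER_ROLES[user_id]]  # role -> surrogate
        token = secrets.token_hex(16)
        self.auth_cache[token] = (surrogate, time.time())
        return token  # the surrogate itself stays inside the broker
    def authorize(self, auth_token, resource):
        entry = self.auth_cache.get(auth_token)  # claim 11: match the token
        if entry is None:
            return None
        rights = self.provider.permissions_for(entry[0], resource)
        # the permissions token carries only the resource and the access rights
        return {"resource": resource, "rights": rights}

class PlatformCoordinator:
    def __init__(self, broker):
        self.broker = broker
        self.auth_token = None
        self.perm_cache = {}  # resource -> (permissions token, time stamp)
    def login(self, user_id, secret):
        self.auth_token = self.broker.authenticate(user_id, secret)
        return self.auth_token is not None
    def access_rights(self, resource):
        cached = self.perm_cache.get(resource)
        if cached is not None:  # claim 12: answered from the local cache
            return cached[0]["rights"], True
        token = self.broker.authorize(self.auth_token, resource)
        if token is None:  # no valid authentication token: nothing is cached
            return "deny", False
        self.perm_cache[resource] = (token, time.time())
        return token["rights"], False
```

The second element of the returned pair reports whether the answer came from the platform coordinator's cache, so a caller can see which of the three procedures ran.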

13. (Currently amended) A method for providing computer security, the method comprising:
securing a plurality of resources within a software application;
identifying each of the plurality of resources in a data store;
selecting some of the plurality of resources;
grouping selected resources into user roles in the data store;
creating a plurality of user names and a plurality of aliases in the data store, each user name and each alias being associated with the same user role;
replicating the plurality of resources, the user roles, the plurality of user names and the plurality of aliases in a plurality of data stores; and
determining access privileges to the plurality of resources using an alias corresponding to a user name by virtue of the same one user role from one of the plurality of data stores, determining access privileges further comprising:
authenticating a user on the system with one of a plurality of security providers;
authorizing access rights to the secured resources in the software application with one of a plurality of security providers; and
receiving a permissions request [[requests]] from one of a plurality of workstations and routing the permissions request to one of the security providers with one of a plurality of security brokers, [[from a security broker with one of the security providers]].

14. (Canceled)
15. (Previously presented) The method for providing computer security of claim 13, wherein authenticating a user comprises:
retrieving a user identifier;
passing the user identifier to one of the plurality of security providers;
verifying the user identifier against one of the plurality of data stores on one of the plurality of security providers; and
returning an encrypted authentication token.

16. (Currently amended) The method for providing computer security of claim 13, wherein authorizing access rights comprises:
capturing a security call from the software application, the security call containing a name identifying a secured resource;
retrieving a user identifier;
passing the user identifier to [[a]] one of the security brokers [[security broker]];
retrieving one of the plurality of aliases from a data store of one of the security brokers [[the security broker]], the retrieved alias corresponding to the user identifier;
passing the retrieved alias to [[a]] one of the security providers [[security provider]];
verifying the alias against one of the plurality of data stores on one of the plurality of security providers;
returning an encrypted permissions token to the software application; and
determining access rights to the secured resource according to the permissions token.

17. (Previously presented) The method of claim 16 wherein retrieving a user identifier comprises:
gathering information about a user for authorizing access to secured resources, the information selected from the group consisting of user name and password, software token, hardware token, and digital signature.

18. (Currently amended) A computer security system comprising:
a plurality of computer workstations, each computer workstation having an operating system and a software application installed, the software application containing an embedded component;
a plurality of security providers for receiving permissions requests, authenticating a computer user, and authorizing permissions available to the computer user, and receiving permissions requests, each security provider having a security data store containing data related to authentication and authorization;
a plurality of authentication/authorization managers each associated with one of the security providers, for querying the security providers to authenticate the computer user and authorize permissions available to the computer user; and
a plurality of security brokers for receiving permissions requests from the workstations, routing permissions requests to one of the [[security providers]] authentication/authorization managers, and passing authorized permissions to the workstations [[and for determining access rights to secured resources in the software application based on the permissions received from one of the security providers]], each security broker having a data store containing data [[related to permissions authorized by one of the security providers]], each security broker being a computer in network communication with the computer workstations and the security providers;
wherein each computer workstation is capable of communicating with each security broker; and
wherein each security broker is capable of communicating with each security provider through the associated authentication/authorization manager.
19. (Previously presented) The computer security system of claim 18, wherein the computer workstations further comprise:
a platform coordinator installed on each workstation, the platform coordinator for routing permissions requests to security brokers, the platform coordinator capable of communicating with any one of the security brokers so that if one of the security brokers is unavailable, the platform coordinator can route the permissions requests to another security broker for proceeding with authentication and authorization.

20. (Previously presented) The computer security system of claim 18, wherein the security brokers further comprise:
a cache for storing an authentication token, the authentication token being used to retrieve a surrogate identifier associated with the authentication token.

21. (Previously presented) The computer security system of claim 18, wherein the security brokers route permissions requests programmatically to the security providers, each security broker being capable of routing permissions requests to any one of the security providers such that if one security provider is unavailable, the security broker can route permissions requests to another security provider.

22. (Currently amended) The computer security system of claim 18, wherein the security system further comprises:
administration utilities for configuring, updating and maintaining the data [[store]] stores and the security data [[store]] stores, the administration utilities providing a single software application for maintaining user identifiers, setting and changing permissions, creating security events, and tracking system usage and security events within the security system.
23. (Currently amended) A process for authorizing access rights to secured resources in a software application, the process comprising:
authenticating a computer user to a computer security provider via a user identifier corresponding to the computer user, the computer security provider returning a result to a security broker according to the user identifier[[ ]], the computer security provider being one of a plurality of security providers;
storing the result on the security broker;
retrieving a surrogate identifier from the security broker, the surrogate identifier corresponding to the result, the surrogate identifier being undisclosed to the computer user; and
authorizing the surrogate identifier to the computer security provider, the computer security provider returning surrogate permissions to the security broker, the surrogate permissions corresponding to the surrogate identifier, the surrogate permissions for determining access rights to secured resources in the software application according to the surrogate permissions.

24. (Previously presented) The process for authorizing access rights according to claim 23, wherein authorizing the surrogate identifier to the computer security provider comprises:
passing the surrogate identifier to a security manager;
querying for the surrogate identifier in a permissions list on the security provider using the security manager;
determining surrogate permissions for the surrogate identifier according to the permissions list; and
returning the surrogate permissions to the security broker.
25. (Previously presented) The process for authorizing access rights according to claim 24, wherein authorizing the surrogate identifier to the computer security provider further comprises:
passing the surrogate permissions from the security broker to a platform coordinator;
storing the surrogate permissions with a time stamp in a cache on the platform coordinator;
relaying the surrogate permissions to an embedded component within the software application;
passing the surrogate permissions to a function within the software application, the function capable of interpreting the surrogate permission; and
interpreting the surrogate permission using the function to permit or deny access rights to the secured resource.

26. (Previously presented) The process for authorizing access rights according to claim 23, wherein authenticating comprises:
passing the user identifier from the security broker to a security manager;
querying for the user identifier in an authentication list on the computer security provider using the security manager;
determining validity of the user identifier according to the authentication list; and
returning a result to the security broker.



